gismo137
(Gismo137)
29 April 2007 18:43
#1
Hi, I scanned my computer with ewido online, which detected Trojan Delf.mg.
How do I remove it?
__________________________________________________
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________
Name: TrackingCookie.Adocean
Path: C:\Documents and Settings\adamiak.ADAMIAK-45BC0C1\Cookies\adamiak@gde.adocean[1].txt
Risk: Medium

Name: TrackingCookie.Gemius
Path: C:\Documents and Settings\adamiak.ADAMIAK-45BC0C1\Cookies\adamiak@hit.gemius[2].txt
Risk: Medium

Name: TrackingCookie.Gemius
Path: :mozilla.18:C:\Documents and Settings\adamiak.ADAMIAK-45BC0C1\Dane aplikacji\Mozilla\Firefox\Profiles\hrnjfjqb.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Gemius
Path: :mozilla.19:C:\Documents and Settings\adamiak.ADAMIAK-45BC0C1\Dane aplikacji\Mozilla\Firefox\Profiles\hrnjfjqb.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Adocean
Path: C:\Documents and Settings\przemek\Cookies\przemek@gde.adocean[1].txt
Risk: Medium

Name: TrackingCookie.Adocean
Path: C:\Documents and Settings\przemek\Cookies\przemek@gg.adocean[1].txt
Risk: Medium

Name: TrackingCookie.Msn
Path: C:\Documents and Settings\przemek\Cookies\przemek@ie.search.msn[2].txt
Risk: Medium

Name: TrackingCookie.Webtrends
Path: C:\Documents and Settings\przemek\Cookies\przemek@m.webtrends[1].txt
Risk: Medium

Name: TrackingCookie.Gemius
Path: :mozilla.19:C:\Documents and Settings\przemek\Dane aplikacji\Mozilla\Firefox\Profiles\aazwewtk.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Gemius
Path: :mozilla.21:C:\Documents and Settings\przemek\Dane aplikacji\Mozilla\Firefox\Profiles\aazwewtk.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Adocean
Path: :mozilla.37:C:\Documents and Settings\przemek\Dane aplikacji\Mozilla\Firefox\Profiles\aazwewtk.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Adocean
Path: :mozilla.38:C:\Documents and Settings\przemek\Dane aplikacji\Mozilla\Firefox\Profiles\aazwewtk.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Adocean
Path: :mozilla.39:C:\Documents and Settings\przemek\Dane aplikacji\Mozilla\Firefox\Profiles\aazwewtk.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Adocean
Path: :mozilla.40:C:\Documents and Settings\przemek\Dane aplikacji\Mozilla\Firefox\Profiles\aazwewtk.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Com
Path: :mozilla.70:C:\Documents and Settings\przemek\Dane aplikacji\Mozilla\Firefox\Profiles\aazwewtk.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Adocean
Path: :mozilla.75:C:\Documents and Settings\przemek\Dane aplikacji\Mozilla\Firefox\Profiles\aazwewtk.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Adocean
Path: :mozilla.76:C:\Documents and Settings\przemek\Dane aplikacji\Mozilla\Firefox\Profiles\aazwewtk.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Webtrends
Path: :mozilla.82:C:\Documents and Settings\przemek\Dane aplikacji\Mozilla\Firefox\Profiles\aazwewtk.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Webtrends
Path: :mozilla.83:C:\Documents and Settings\przemek\Dane aplikacji\Mozilla\Firefox\Profiles\aazwewtk.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Paypal
Path: :mozilla.86:C:\Documents and Settings\przemek\Dane aplikacji\Mozilla\Firefox\Profiles\aazwewtk.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Skype
Path: :mozilla.87:C:\Documents and Settings\przemek\Dane aplikacji\Mozilla\Firefox\Profiles\aazwewtk.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Tradedoubler
Path: :mozilla.88:C:\Documents and Settings\przemek\Dane aplikacji\Mozilla\Firefox\Profiles\aazwewtk.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Tradedoubler
Path: :mozilla.89:C:\Documents and Settings\przemek\Dane aplikacji\Mozilla\Firefox\Profiles\aazwewtk.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Skype
Path: :mozilla.90:C:\Documents and Settings\przemek\Dane aplikacji\Mozilla\Firefox\Profiles\aazwewtk.default\cookies.txt
Risk: Medium

Name: Adware.Whenu
Path: C:\System Volume Information\_restore{4C448505-9E6E-481E-99A3-FB3D8A752D94}\RP481\A0179607.exe
Risk: Medium

Name: Trojan.Delf.mg
Path: D:\instalki22\Odkurzacz\Odkurzacz\Skins\VistaXP-VISTAXPB2.skn
Risk: High

Name: Adware.SaveNow
Path: D:\System Volume Information\_restore{4C448505-9E6E-481E-99A3-FB3D8A752D94}\RP481\A0179903.exe
Risk: Medium

Name: TrackingCookie.Gemius
Path: :mozilla.7:E:\Firefox 2.0.0.2 (pl) - 2007-03-09.pcv/cookies.txt
Risk: Medium

Name: TrackingCookie.Gemius
Path: :mozilla.8:E:\Firefox 2.0.0.2 (pl) - 2007-03-09.pcv/cookies.txt
Risk: Medium

Name: TrackingCookie.Adocean
Path: :mozilla.26:E:\Firefox 2.0.0.2 (pl) - 2007-03-09.pcv/cookies.txt
Risk: Medium

Name: TrackingCookie.Adocean
Path: :mozilla.27:E:\Firefox 2.0.0.2 (pl) - 2007-03-09.pcv/cookies.txt
Risk: Medium

Name: TrackingCookie.Adocean
Path: :mozilla.57:E:\Firefox 2.0.0.2 (pl) - 2007-03-09.pcv/cookies.txt
Risk: Medium

Name: TrackingCookie.Adocean
Path: :mozilla.58:E:\Firefox 2.0.0.2 (pl) - 2007-03-09.pcv/cookies.txt
Risk: Medium

Name: TrackingCookie.Adocean
Path: :mozilla.63:E:\Firefox 2.0.0.2 (pl) - 2007-03-09.pcv/cookies.txt
Risk: Medium

Name: TrackingCookie.Adocean
Path: :mozilla.64:E:\Firefox 2.0.0.2 (pl) - 2007-03-09.pcv/cookies.txt
Risk: Medium

Name: TrackingCookie.Adocean
Path: :mozilla.79:E:\Firefox 2.0.0.2 (pl) - 2007-03-09.pcv/cookies.txt
Risk: Medium

Name: TrackingCookie.Adocean
Path: :mozilla.80:E:\Firefox 2.0.0.2 (pl) - 2007-03-09.pcv/cookies.txt
Risk: Medium

Name: TrackingCookie.Toplist
Path: :mozilla.101:E:\Firefox 2.0.0.2 (pl) - 2007-03-09.pcv/cookies.txt
Risk: Medium

Name: TrackingCookie.Itrack
Path: :mozilla.139:E:\Firefox 2.0.0.2 (pl) - 2007-03-09.pcv/cookies.txt
Risk: Medium

Name: TrackingCookie.Itrack
Path: :mozilla.140:E:\Firefox 2.0.0.2 (pl) - 2007-03-09.pcv/cookies.txt
Risk: Medium

Silent Runners log:

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"RocketDock" = ""D:\instalki22\google desktop\RocketDock\RocketDock.exe"" [null data]
"Gadu-Gadu" = ""D:\instalki\GaduGadu77\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"Komunikator" = "D:\instalki22\komunikator internet\Tlen.pl\tlen.exe" ["o2.pl Sp. z o.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Skrót do strony właściwości High Definition Audio" = "HDAShCut.exe" ["Windows (R) Server 2003 DDK provider"]
"LXCCCATS" = "rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16" [MS]
"lxccmon.exe" = ""C:\Program Files\Lexmark 3300 Series\lxccmon.exe"" ["Lexmark International, Inc."]
"FaxCenterServer" = ""C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s" [null data]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"LClock" = "C:\Program Files\LClock\LClock.exe" [null data]
"Vista Sidebar" = "C:\Program Files\Vista Sidebar\sidebar.exe" [null data]
"Blaero Start Orb" = "C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe" [null data]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"WellPhone DirectSync - ScheduleSync" = "D:\instalki\WELLPH~1\SCHEDU~1.EXE" [empty string]
"Picasa Media Detector" = "D:\instalki\Picasa\Picasa2\PicasaMediaDetector.exe" ["Google Inc."]
"Ad Muncher" = "M:\Program Files\Ad Muncher\AdMunch.exe /bt" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "D:\INSTAL~1\SPYBOT~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
                   \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
  -> {HKLM...CLSID} = "AVG7 Find Extension Class"
                   \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}" = "IZArc DragDrop Menu"
  -> {HKLM...CLSID} = "IZArc DragDrop Menu"
                   \InProcServer32\(Default) = "D:\instalki\IZARC\IZArc\IZArcCM.dll" [null data]
"{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}" = "IZArc Shell Context Menu"
  -> {HKLM...CLSID} = "IZArc Shell Context Menu"
                   \InProcServer32\(Default) = "D:\instalki\IZARC\IZArc\IZArcCM.dll" [null data]
"{2B3453E4-49DF-11D3-8229-0080BE509050}" = "GMail Drive"
  -> {HKLM...CLSID} = "GMail Drive"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{2B3453E4-49DF-11D3-8229-0080BE509052}" = "GMailFS Property Sheet"
  -> {HKLM...CLSID} = "GMailFS Property Sheet"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{2B3453E4-49DF-11D3-8229-0080BE509054}" = "GMailFS Drop Handler"
  -> {HKLM...CLSID} = "GMailFS Drop Handler"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{2B3453E4-49DF-11D3-8229-0080BE509056}" = "GMailFS Context Menu"
  -> {HKLM...CLSID} = "GMailFS Context Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""D:\instalki\open office\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""D:\instalki\open office\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""D:\instalki\open office\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""D:\instalki\open office\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{4DF97D4C-9FA0-480a-8DBA-5C5011E90099}" = "WellPhone Multimedia"
  -> {HKLM...CLSID} = "WellPhone Multimedia"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\SmartCom\Compnts\scshx.dll" ["SmartCom"]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"pgdfgsvc C 1" ["Sysinternals - http://www.sysinternals.com"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""D:\instalki\open office\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
                   \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"
  -> {HKLM...CLSID} = "IZArc Shell Context Menu"
                   \InProcServer32\(Default) = "D:\instalki\IZARC\IZArc\IZArcCM.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"
  -> {HKLM...CLSID} = "IZArc Shell Context Menu"
                   \InProcServer32\(Default) = "D:\instalki\IZARC\IZArc\IZArcCM.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
                   \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\adamiak.ADAMIAK-45BC0C1\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Startup items in "adamiak" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart
"TB-Tray" -> shortcut to: "D:\instalki\Thunderbird\Thunderbird-Tray\TBTray.exe" ["Felix 'SniperBeamer' Geyer"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
BlueSoleil Hid Service, BlueSoleil Hid Service, "C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe" [null data]
lxcc_device, lxcc_device, "C:\WINDOWS\system32\lxcccoms.exe -service" ["Lexmark International, Inc."]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
3300 Series Port\Driver = "lxcclmpm.DLL" ["Lexmark International, Inc."]
Lexmark Print-2-Fax Port\Driver = "LXPRMON.DLL" [null data]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 74 seconds.

---------- (total run time: 109 seconds)
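Reports like the one above are easier to triage once the records are parsed rather than read by eye: the forum software flattened the scanner output onto a few very long lines, and most of the hits are cookie entries inside one or two cookies.txt files. The following is an added example, not code from ewido or from this thread. It pulls the Name/Path/Risk records out of the text whether or not the line breaks survived, unpacks the ":mozilla.N:" prefix ewido puts in front of Firefox cookie hits (N is the entry index inside that cookies.txt, not a separate file), and lists the non-cookie findings worst first. SAMPLE is constructed from four records quoted in the report; the Finding type and the function names are this example's own.

```python
"""Triage helper for ewido anti-spyware online scanner output.

Added example; it is not part of ewido or of this thread. SAMPLE below is
constructed from four records quoted in the report above, flattened onto
one line the way the forum software flattened the original.
"""
import re
from collections import Counter
from typing import List, NamedTuple, Optional

# Records have the shape "Name: <detection> Path: <path> Risk: <level>".
# The pattern keys on the field labels rather than on line breaks, so it
# accepts both the original multi-line report and a flattened copy of it.
RECORD_RE = re.compile(
    r"Name:\s*(?P<name>\S+)\s+Path:\s*(?P<path>.+?)\s+Risk:\s*(?P<risk>High|Medium|Low)",
    re.DOTALL,
)
# Hits inside a Firefox cookie jar are reported as ":mozilla.<n>:<cookies.txt path>",
# where <n> is the entry index inside that file.
MOZILLA_RE = re.compile(r"^:mozilla\.(?P<idx>\d+):(?P<path>.+)$")


class Finding(NamedTuple):
    name: str
    path: str                    # the file the hit lives in
    risk: str
    cookie_index: Optional[int]  # set only for cookies.txt entries


def parse_report(text: str) -> List[Finding]:
    findings = []
    for m in RECORD_RE.finditer(text):
        path, idx = m["path"].strip(), None
        jar = MOZILLA_RE.match(path)
        if jar:
            idx, path = int(jar["idx"]), jar["path"]
        findings.append(Finding(m["name"], path, m["risk"], idx))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    """Number of findings per risk level."""
    return Counter(f.risk for f in findings)


def needs_attention(findings: List[Finding]) -> List[Finding]:
    """Everything that is not a tracking cookie, highest risk first."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(
        (f for f in findings if not f.name.startswith("TrackingCookie.")),
        key=lambda f: order[f.risk],
    )


def files_to_review(findings: List[Finding]) -> List[str]:
    """Distinct files behind the non-cookie hits."""
    return sorted({f.path for f in needs_attention(findings)})


# Constructed sample: four records from the report above, flattened.
SAMPLE = (
    "Name: TrackingCookie.Adocean Path: C:\\Documents and Settings\\przemek"
    "\\Cookies\\przemek@gde.adocean[1].txt Risk: Medium "
    "Name: TrackingCookie.Gemius Path: :mozilla.19:C:\\Documents and Settings"
    "\\przemek\\Dane aplikacji\\Mozilla\\Firefox\\Profiles\\aazwewtk.default"
    "\\cookies.txt Risk: Medium "
    "Name: Adware.Whenu Path: C:\\System Volume Information\\_restore"
    "{4C448505-9E6E-481E-99A3-FB3D8A752D94}\\RP481\\A0179607.exe Risk: Medium "
    "Name: Trojan.Delf.mg Path: D:\\instalki22\\Odkurzacz\\Odkurzacz\\Skins"
    "\\VistaXP-VISTAXPB2.skn Risk: High"
)

if __name__ == "__main__":
    found = parse_report(SAMPLE)
    print(dict(summarize(found)))
    for f in needs_attention(found):
        print(f"{f.risk:6} {f.name:20} {f.path}")
```

Run against the full report, needs_attention() reduces some forty records to the three non-cookie hits (the two files in System Volume Information restore points and the skin file), which is the list the rest of the thread actually discusses.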
adam9870
(adam9870)
29 April 2007 21:44
#2
Open Notepad and paste this into it:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\
  00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00
File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.REG >>> double-click the FIX.REG file you created and confirm adding it to the registry >>> restart.
Ewido found nothing dangerous, only completely harmless cookies. You can delete them, but then you will have to set up things like auto-login on web forums again.
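A .reg file stores REG_MULTI_SZ data as a comma-separated hex(7) dump of UTF-16LE, which is unreadable by eye, so it is worth decoding what a fix posted on a forum will write before importing it. The following is an added example, not code from adam9870's post. It parses the .reg text above (continuation lines, quoted strings, dword:, hex: and hex(N): values) and turns the hex(7) data back into the list of strings. Silent Runners flagged this key as a suspicious launch point because a second string, "pgdfgsvc C 1" (attributed in the log to Sysinternals), had been appended after "autocheck autochk *"; the decoded fix shows it writes only that single default entry back. The parser, its function names and the DEFAULT_BOOT_EXECUTE constant are this example's own assumptions.

```python
"""Decode what a .reg fix will write before importing it.

Added example, not part of the post above. FIX_REG is the registry fix from
that post; the parser handles the value syntaxes regedit exports (quoted
strings, dword:, hex: and hex(N):) and decodes hex(7) data back into the
strings of a REG_MULTI_SZ value.
"""
import re
from typing import Dict, List, Optional, Union

FIX_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\
  00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00
'''

# BootExecute on a clean Windows XP install holds only the autochk entry
# (assumption of this example, used as the reference to compare against).
DEFAULT_BOOT_EXECUTE = ["autocheck autochk *"]

REG_MULTI_SZ = 7
# "Name"=body  or  @=body  (default value of the key)
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<body>.*)$')
HEX_RE = re.compile(r"^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<data>.*)$")

Value = Union[str, int, bytes, List[str]]


def decode_multi_sz(raw: bytes) -> List[str]:
    """REG_MULTI_SZ: UTF-16LE, each string NUL-terminated, list ended by an empty string."""
    parts = raw.decode("utf-16-le").split("\x00")
    while parts and parts[-1] == "":   # drop the string and list terminators
        parts.pop()
    return parts


def decode_value(body: str) -> Value:
    if body.startswith('"') and body.endswith('"'):
        return body[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if body.startswith("dword:"):
        return int(body[len("dword:"):], 16)
    m = HEX_RE.match(body)
    if not m:
        raise ValueError(f"unsupported value syntax: {body!r}")
    raw = bytes(int(b, 16) for b in m["data"].split(",") if b.strip())
    reg_type = int(m["type"], 16) if m["type"] else 3   # bare "hex:" is REG_BINARY
    return decode_multi_sz(raw) if reg_type == REG_MULTI_SZ else raw


def parse_reg(text: str) -> Dict[str, Dict[str, Value]]:
    # regedit continues a value on the next line after a trailing backslash;
    # join those first so every value sits on one line.
    text = re.sub(r"\\\r?\n[ \t]*", "", text)
    keys: Dict[str, Dict[str, Value]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unexpected line: {line!r}")
        name = "@" if m["default"] else m["name"]
        keys[current][name] = decode_value(m["body"])
    return keys


def boot_execute_after_fix(reg_text: str = FIX_REG) -> List[str]:
    """The REG_MULTI_SZ strings the fix writes into BootExecute."""
    key = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
    return parse_reg(reg_text)[key]["BootExecute"]


if __name__ == "__main__":
    value = boot_execute_after_fix()
    print("BootExecute will become:", value)
    print("matches the XP default:", value == DEFAULT_BOOT_EXECUTE)
```

The same parse_reg() can be pointed at any exported .reg file; anything it cannot decode raises rather than being silently skipped, which is the behaviour you want when the point of the exercise is to see every value a file would set.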
gismo137
(Gismo137)
30 April 2007 17:50
#3
OK, done.
But what about this: Name: Trojan.Delf.mg
Path: D:\instalki22\Odkurzacz\Odkurzacz\Skins\VistaXP-VISTAXPB2.skn
Risk: High
matio
(matio)
30 April 2007 17:55
#4
Just delete the Vista skin for "Odkurzacz".